Mautic
cpe:2.3:a:mautic:mautic:*:*:*:*:*:*:*
- >= 7.0.0
A stored Cross-Site Scripting (XSS) vulnerability has been identified in the Projects component of Mautic version 7. This issue arises because user-supplied project names are displayed without adequate sanitization in administrative detail views, such as campaigns, emails, or forms. An authenticated user with the ability to create or edit projects can exploit this vulnerability by injecting malicious script payloads. When an administrative user interacts with an entity linked to the compromised project, the injected script executes in their browser session. This could enable the attacker to perform actions on behalf of the victim, modify system settings, or steal sensitive information.
Exploitation of this vulnerability allows for stored Cross-Site Scripting, where injected scripts are executed in the context of the user viewing the affected project. This could lead to unauthorized administrative actions, changes in system configurations, or exfiltration of confidential data.
Users can upgrade to Mautic version 7.1.2 to address this vulnerability. For those using earlier versions of Mautic 7, it is recommended to restrict project creation and editing permissions to trusted administrative users.
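The pattern behind this bug, shown as an added example that is not Mautic's own code: a detail view that interpolates a stored project name into HTML verbatim, beside the hardened form that encodes the value at the point of output. The project record, field names and the `renderProjectBadge` helpers are assumptions for illustration.

```php
<?php
// Added example (not Mautic's code): an admin detail view fragment that shows
// the name of the project an entity (campaign, email, form) is linked to.
// Whoever may create or edit projects controls this string.

// Constructed sample project record with a script-bearing name.
$project = [
    'id'   => 42,                                    // hypothetical id
    'name' => 'Q3 Launch <script>alert(1)</script>', // constructed test value
];

// Vulnerable pattern: the stored name is concatenated into markup unchanged,
// so the browser parses the <script> element and runs it in the session of
// the administrator viewing the linked campaign, email or form.
function renderProjectBadgeVulnerable(array $project): string
{
    return '<span class="project-badge" title="' . $project['name'] . '">'
         . $project['name'] . '</span>';
}

// Hardened pattern: encode for the HTML context the value lands in, at output
// time. ENT_QUOTES also encodes both quote characters, which matters for the
// title="..." attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, so a malformed name cannot blank the view.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderProjectBadge(array $project): string
{
    $name = escapeHtml($project['name']);
    return '<span class="project-badge" title="' . $name . '">' . $name . '</span>';
}

// Raw script tags survive in the first string; in the second they are
// rendered as visible text rather than executed.
echo renderProjectBadgeVulnerable($project), PHP_EOL;
echo renderProjectBadge($project), PHP_EOL;
```

In Twig-based views the same rule applies: keep autoescaping on and never apply `|raw` to a user-controlled field such as a project name.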